Summary

Warning

The session modules make use of HTTP cookies, and as such can fall
victim to Cross Site Scripting attacks, or expose potentially private
information to clients. Please ensure that the relevant risks have
been taken into account before enabling the session functionality on
your server.

This submodule of mod_session provides support for the
encryption of user sessions before being written to a local database, or
written to a remote browser via an HTTP cookie.

This can help provide privacy to user sessions where the contents of
the session should be kept private from the user, or where protection is
needed against the effects of cross site scripting attacks.

For more details on the session interface, see the documentation for
the mod_session module.

NSS with certificate database and parameters

NSS with paths containing spaces

The NSS crypto driver might have already been
configured by another part of the server, for example from
mod_nss or mod_ldap. If found to
have already been configured, a warning will be logged, and the
existing configuration will have taken affect. To avoid this
warning, use the noinit parameter as follows.

NSS with certificate database

SessionCryptoDriver nss noinit

To prevent confusion, ensure that all modules requiring NSS are configured with
identical parameters.

The openssl crypto driver supports an optional parameter to specify
the engine to be used for encryption.

The SessionCryptoPassphrase directive specifies the keys
to be used to enable symmetrical encryption on the contents of the session before
writing the session, or decrypting the contents of the session after reading the
session.

Keys are more secure when they are long, and consist of truly random characters.
Changing the key on a server has the effect of invalidating all existing sessions.

Multiple keys can be specified in order to support key rotation. The first key
listed will be used for encryption, while all keys listed will be attempted for
decryption. To rotate keys across multiple servers over a period of time, add a new
secret to the end of the list, and once rolled out completely to all servers, remove
the first key from the start of the list.

As of version 2.4.7 if the value begins with exec: the resulting command
will be executed and the first line returned to standard output by the program will be
used as the key.

The SessionCryptoPassphraseFile directive specifies the
name of a configuration file containing the keys to use for encrypting or decrypting
the session, specified one per line. The file is read on server start, and a graceful
restart will be necessary for httpd to pick up changes to the keys.

Unlike the SessionCryptoPassphrase directive, the keys are
not exposed within the httpd configuration and can be hidden by protecting the file
appropriately.

Multiple keys can be specified in order to support key rotation. The first key
listed will be used for encryption, while all keys listed will be attempted for
decryption. To rotate keys across multiple servers over a period of time, add a new
secret to the end of the list, and once rolled out completely to all servers, remove
the first key from the start of the list.

Notice:This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.